The present application relates generally to HTML-based applications, such as web browsers and embedded HTML-based applications, and, more particularly, to HTML-based application security.
Communications networks are widely used for nationwide and worldwide communication of voice, multimedia and/or data. As used herein, the term “communications network” includes public communications networks, such as the Public Switched Telephone Network (PSTN), terrestrial and/or satellite cellular networks, private networks and/or the Internet.
The Internet is a decentralized network of computers that can communicate with one another via Internet Protocol (IP). The Internet includes the World Wide Web (web) service facility, which is a client/server-based facility that includes a large number of servers (computers connected to the Internet) on which web pages or files reside, as well as clients (web browsers), which interface users with the web pages. The topology of the web can be described as a network of networks, with providers of network services called Network Service Providers, or NSPs. Servers that provide application-layer services may be referred to as Application Service Providers (ASPs). Sometimes a single service provider provides both functions.
The Open Web Application Security Project (OWASP) is an organization whose goal is to assist individuals, businesses and agencies in finding and using trustworthy software. OWASP maintains a “Top Ten” list of the ten most dangerous current web application security flaws, along with suggested methods for dealing with those flaws.
Cross-site request forgery (CSRF) currently is one of OWASP's top ten most dangerous security flaws. CSRF is a method of attacking a web site wherein an intruder masquerades as a legitimate and trusted user of the web site. CSRF attacks can be performed by stealing the identity of an existing user and then hacking into a web server using that identity. A CSRF attacker may also trick a legitimate user into unknowingly sending Hypertext Transfer Protocol (HTTP) requests to a web site that returns sensitive user data to the attacker. A CSRF attack can be used to modify firewall settings, post unauthorized data on a forum and/or conduct fraudulent financial transactions. CSRF attacks may also be executed, for example, by using a Hypertext Markup Language (HTML) image tag or a JavaScript image object. Typically, an attacker will embed an image tag or object into an email or website so that, when a user loads the page or email, the user's browser performs a web request to a web site selected by the attacker. For example, an image tag such as `<img src="http://host/?command">`, when loaded by a user, performs a web request to the address specified in the tag (i.e., http://host/).
CSRF protection is required for Payment Card Industry (PCI) compliance with security standards developed to protect card information during and after a financial transaction. Conventional approaches to protecting against CSRF attacks include tagging HTML elements, such as forms, with a hidden input variable that is randomly generated and checked against the page session to validate that the source of the request is in fact the authenticated party. For example, when a web application generates a link or form that invokes a web application upon activation by a user, a query parameter is included with the link or form by the web application. Prior to executing the web application in response to user activation of the link or form, a token value provided by the user is compared with a stored value to verify that the user is authorized to invoke the web application. Thus, conventional CSRF protection requires code additions to each web application in order to perform the above-described operations. Unfortunately, if access to the code of a web application is not available, it may not be possible to implement CSRF protection for that application.
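The conventional per-application token check described above, as an added Python illustration that is not part of this application: a random token is bound to the session, rendered as the hidden form input, and compared with the stored value before the request is acted upon. The session store, the `handle_form_post` handler and the `csrf_token` field name are assumptions for the example.

```python
import hmac
import secrets
from html import escape
from typing import Dict, Optional


class CsrfGuard:
    """Synchronizer-token CSRF protection: a random per-session token is
    embedded in each form and checked against the session's stored value."""

    def __init__(self) -> None:
        # Constructed in-memory session store: session_id -> token.
        self._tokens: Dict[str, str] = {}

    def token_for_session(self, session_id: str) -> str:
        """Return the session's token, generating a fresh random one on first use."""
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def hidden_input(self, session_id: str) -> str:
        """Render the hidden input that the application code must add to each form."""
        token = self.token_for_session(session_id)
        return f'<input type="hidden" name="csrf_token" value="{escape(token)}">'

    def is_valid(self, session_id: str, submitted_token: Optional[str]) -> bool:
        """Compare a submitted token with the session's stored value.

        Fails closed: an unknown session or a missing token is rejected, and the
        constant-time comparison avoids leaking the token through timing differences.
        """
        stored = self._tokens.get(session_id)
        if stored is None or not submitted_token:
            return False
        return hmac.compare_digest(stored, submitted_token)


def handle_form_post(guard: CsrfGuard, session_id: str, form: Dict[str, str]) -> str:
    """Hypothetical request handler: the sensitive action runs only when the
    token submitted with the form matches the one issued to this session."""
    if not guard.is_valid(session_id, form.get("csrf_token")):
        return "403 Forbidden: CSRF token missing or invalid"
    return "200 OK: transaction executed"
```

A forged request carries no token for the victim's session (or a token issued to some other session), so it is refused before the action runs.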
In addition, in enterprises with many web applications, code additions/changes necessary to implement CSRF protection can be costly and time consuming to implement and manage. While tagging HTML content, such as forms, with a hidden value is not difficult in and of itself, the amount of content that can expose private data elements across a large enterprise can make this difficult. Often, new unprotected forms crop up faster than they can be found and corrected. As such, for large enterprises, such as enterprises having hundreds or thousands of web sites, closing all CSRF vulnerabilities may not be possible.